Abstract. We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message M can be deduced from a set of messages Γ under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems and proving decidability requires significant effort in showing that the rules are "local" in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problems, which amount to solving certain equations in the underlying individual equational theories. We further show that this result extends to combinations of disjoint AC-convergent theories whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. Although various researchers have reported similar results for individual cases, our work shows that these results can be obtained using a systematic and uniform methodology based on the sequent calculus.

Keywords: AC convergent theories, sequent calculus, intruder deduction, security protocols.



1 Introduction 

One of the fundamental aspects of the analysis of security protocols is the model of the intruder that seeks to compromise the protocols. In many situations, such a model can be described in terms of a deduction system which gives a formal account of the ability of the intruder to analyse and synthesize messages. As shown in many previous works (see, e.g., [2,16,19,17]), finding attacks on protocols can often be framed as the problem of deciding whether a certain formal expression is derivable in the deduction system which models the intruder capability. The latter is sometimes called the intruder deduction problem, or the (ground) reachability problem. A basic deductive account of the intruder's capability is based on the so-called Dolev-Yao model, which assumes perfect encryption. While this model has been applied fruitfully to many situations, a stronger model of intruders is needed to discover certain types of attacks. A recent survey [11] shows that attacks on several protocols used in real-world communication networks can be found by exploiting algebraic properties of encryption functions.

The types of attacks mentioned in that survey have motivated many recent works in studying models of intruders in which the algebraic properties of the operators used in the protocols are taken into account [9,7,1,13,17,10]. In most of these, the intruder's capability is usually given as a natural-deduction-like deductive system. As is common in natural deduction, each constructor has a rule for introducing the constructor and one for eliminating the constructor. The elimination rule typically decomposes a term, reading the rule top-down: e.g., a typical elimination rule for a pair (M, N) of terms is:

$$\frac{\Gamma \vdash (M,N)}{\Gamma \vdash M}$$

Here, Γ denotes a set of terms, which represents the terms accumulated by the intruder over the course of its interaction with participants in a protocol. While a natural deduction formulation of deductive systems may seem "natural" and may reflect the meaning of the (logical) operators, it does not immediately give us a proof search strategy. Proof search means that we have to apply the rules bottom up, and as the above elimination rule demonstrates, this requires us to come up with a term N which might seem arbitrary. For a more complicated example, consider the following elimination rule for blind signatures [15,16,5].

$$\frac{\Gamma \vdash \mathrm{sign}(\mathrm{blind}(M,R),K) \quad \Gamma \vdash R}{\Gamma \vdash \mathrm{sign}(M,K)}$$

The basis for this rule is that the "unblinding" operation commutes with signature. Devising a proof search strategy in a natural deduction system containing this type of rule does not seem trivial. In most of the works mentioned above, in order to show the decidability results for the natural deduction system, one needs to prove that the system satisfies a notion of locality, i.e., in searching for a proof for Γ ⊢ M, one needs only to consider expressions which are made of subterms from Γ and M. In addition, one has to also deal with the complication that arises from the use of the algebraic properties of certain operators.

In this work, we recast the intruder deduction problem as proof search in sequent calculus. A sequent calculus formulation of Dolev-Yao intruders was previously used by the first author in a formulation of open bisimulation for the spi-calculus [19] to prove certain results related to open bisimulation. The current work takes this idea further to include richer theories. Part of our motivation is to apply standard techniques, which have been well developed in the field of logic and proof theory, to the intruder deduction problem. In proof theory, sequent calculus is commonly considered a better calculus for studying proof search and decidability of logical systems, in comparison to natural deduction. This is partly due to the so-called "subformula" property (that is, the premise of every inference rule is made up of subterms of the conclusion of the rule), which in most cases entails the decidability of the deductive system. It is therefore rather curious that none of the existing works on intruder deduction so far uses sequent calculus to structure proof search. We consider the ground intruder deduction problem (i.e., there are no variables in terms) under the class of AC-convergent theories. These are equational theories that can be turned into convergent rewrite systems, modulo associativity and commutativity of certain binary operators. Many important theories for intruder deduction fall into this category, e.g., theories for exclusive-or [9,7], Abelian groups [3], and more generally, certain classes of monoidal theories [10].

We show two main results. Firstly, we show that the decidability of intruder deduction under AC-convergent theories can be reduced, in polynomial time, to elementary intruder deduction problems, which involve only the equational theories under consideration. Secondly, we show that the intruder deduction problem for a combination of disjoint theories E_1, …, E_n can be reduced, in polynomial time, to the elementary deduction problem for each theory E_i. This means that if the elementary deduction problem is decidable for each E_i, then the intruder deduction problem under the combined theory is also decidable. We note that these decidability results are not really new, although there are slight differences and improvements over the existing works (see Section 7). Our contribution is more of a methodological nature. We arrive at these results using rather standard proof theoretical techniques, e.g., cut-elimination and permutability of inference rules, in a uniform and systematic way. In particular, we obtain locality of proof systems for intruder deduction, which is one of the main ingredients of the decidability results in [9,7,13,12], for a wide range of theories that cover those studied in these works. Note that these works deal with the more difficult problem of deducibility constraints, which models active intruders, whereas we currently deal only with passive intruders. As future work, we plan to extend our approach to deal with active intruders.

The remainder of the paper is organised as follows. Section 2 presents two systems for intruder theories, one in natural deduction and the other in sequent calculus, and shows that the two systems are equivalent. In Section 3 the sequent system is shown to enjoy cut-elimination. In Section 4 we show that cut-free sequent derivations can be transformed into a certain normal form. Using this result, we obtain another "linear" sequent system, from which the polynomial reducibility result follows. Section 5 discusses several example theories which can be found in the literature. Section 6 shows that the sequent system in Section 2 can be extended to cover any combination of disjoint AC-convergent theories, and the same decidability results also hold for this extension. Detailed proofs can be found in the appendix.

2 Intruder deduction under AC convergent theories 

We consider the following problem of formalising, given a set of messages Γ and a message M, whether M can be synthesized from the messages in Γ. We shall write this judgment as Γ ⊢ M. This is sometimes called the 'ground reachability' problem or the 'intruder deduction' problem in the literature.

Messages are formed from names, variables and function symbols. We shall assume the following sets: a countably infinite set N of names ranged over by a, b, c, d, m and n; a countably infinite set V of variables ranged over by x, y and z; and a finite set Σ_C = {pub, sign, blind, (·,·), {·}_·} of symbols representing the constructors. Thus pub is a public key constructor, sign is a public key encryption function, blind is the blinding encryption function (as in [15,16,5]), (·,·) is a pairing constructor, and {·}_· is the Dolev-Yao symmetric encryption function. Additionally, we also assume a possibly empty equational theory E, whose signature is denoted with Σ_E. We require that Σ_C ∩ Σ_E = ∅.¹ Function symbols (including constructors) are ranged over by f, g and h. The equational theory E may contain at most one associative-commutative function symbol, which we denote with ⊕, obeying the standard associative and commutative laws. We restrict ourselves to equational theories which can be represented by terminating and confluent rewrite systems, modulo the associativity and commutativity of ⊕. We consider the set of messages generated by the following grammar

$$M, N ::= a \mid x \mid \mathrm{pub}(M) \mid \mathrm{sign}(M,N) \mid \mathrm{blind}(M,N) \mid (M,N) \mid \{M\}_N \mid f(M_1,\dots,M_k).$$

The message pub(M) denotes the public key generated from a private key M; sign(M, N) denotes a message M signed with a private key N; blind(M, N) denotes a message M encrypted with N using a special blinding encryption; (M, N) denotes a pair of messages; and {M}_N denotes a message M encrypted with a key N using a Dolev-Yao symmetric encryption. The blinding encryption has a special property that it commutes with the sign operation, i.e., one can "unblind" a signed blinded message sign(blind(M, r), k) using the blinding key r to obtain sign(M, k). This aspect of the blinding encryption is reflected in its elimination rules, as we shall see later. We denote with V(M) the set of variables occurring in M. A term M is ground if V(M) = ∅. We shall be mostly concerned with ground terms, so unless stated otherwise, we assume implicitly that terms are ground (the only exception is Proposition 2 and Proposition 3).

We shall use several notions of equality so we distinguish them using the following notation: we shall write M ≡ N to denote syntactic equality, M = N to denote equality modulo associativity and commutativity (AC) of ⊕, and M ≈_T N to denote equality modulo a given equational theory T. We shall sometimes omit the subscript in ≈_T if it can be inferred from context.

Given an equational theory E, we denote with R_E the set of rewrite rules for E (modulo AC). We write M →_{R_E} N when M rewrites to N using one application of a rewrite rule in R_E. The definition of rewriting modulo AC is standard and is omitted here. The reflexive-transitive closure of →_{R_E} is denoted with →*_{R_E}. We shall often remove the subscript R_E when no confusion arises. A term M is in E-normal form if M ↛_{R_E} N for any N. We write M↓_E to denote the normal form of M with respect to the rewrite system R_E, modulo commutativity and associativity of ⊕. Again, the index E is often omitted when it is clear which equational theory we refer to. This notation extends straightforwardly to sets, e.g., Γ↓ denotes the set obtained by normalising all the elements of Γ. A term M is said to be headed by a symbol f if M = f(M_1, …, M_k). M is guarded if it is either a name, a variable, or a term headed by a constructor. A term M is an E-alien term if M is headed by a symbol f ∉ Σ_E. It is a pure E-term if it contains only symbols from Σ_E, names and variables.

¹ This restriction means that intruder theories such as homomorphic encryption are excluded. Nevertheless, it still covers a wide range of intruder theories.

A context is a term with holes. We denote with C^k[] a context with k hole(s). When the number k is not important or can be inferred from context, we shall write C[…] instead. Viewing a context C^k[] as a tree, each hole in the context occupies a unique position among the leaves of the tree. We say that a hole occurrence is the i-th hole of the context C^k[] if it is the i-th hole encountered in an inorder traversal of the tree representing C^k[]. An E-context is a context formed using only the function symbols in Σ_E. We write C[M_1, …, M_k] to denote the term resulting from replacing the holes in the k-hole context C^k[] with M_1, …, M_k, with M_i occupying the i-th hole in C^k[].

Natural deduction and sequent systems. The standard formulation of the judgment Γ ⊢ M is usually given in terms of a natural-deduction style inference system, as shown in Figure 1. We shall refer to this proof system as N and write Γ ⊢_N M if Γ ⊢ M is derivable in N. The deduction rules for Dolev-Yao encryption are standard and can be found in the literature, e.g., [6,9]. The blind signature rules are taken from the formulation given by Bernat and Comon-Lundh [5]. Note that the rule sign_E assumes implicitly that signing a message hides its contents. An alternative rule without this assumption would be

$$\frac{\Gamma \vdash \mathrm{sign}(M,K)}{\Gamma \vdash M}$$

The results of the paper also hold, with minor modifications, if we adopt this rule.

A sequent Γ ⊢ M is in normal form if M and all the terms in Γ are in normal form. Unless stated otherwise, in the following we assume that sequents are in normal form. The sequent system for intruder deduction, under the equational theory E, is given in Figure 2. We refer to this sequent system as S and write Γ ⊢_S M to denote the fact that the sequent Γ ⊢ M is derivable in S.

Unlike natural deduction rules, sequent rules also allow introduction of terms on the left hand side of the sequent. The rules p_L, e_L, sign_L, blind_L1, blind_L2, and gs are called left introduction rules (or simply left rules), and the rules p_R, e_R, sign_R, blind_R are called right introduction rules (or simply, right rules). Notice that the rule gs is very similar to cut, except that we have the proviso that A is a subterm of a term in the lower sequent. This is sometimes called analytic cut in the proof theory literature. Analytic cuts are not problematic as far as proof search is concerned, since they still obey the sub-formula property.

$$\frac{M \in \Gamma}{\Gamma \vdash M}\ id \qquad \frac{\Gamma \vdash \{M\}_K \quad \Gamma \vdash K}{\Gamma \vdash M}\ e_E \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \{M\}_K}\ e_I$$

$$\frac{\Gamma \vdash (M,N)}{\Gamma \vdash M}\ p_E \qquad \frac{\Gamma \vdash (M,N)}{\Gamma \vdash N}\ p_E \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash N}{\Gamma \vdash (M,N)}\ p_I$$

$$\frac{\Gamma \vdash \mathrm{sign}(M,K) \quad \Gamma \vdash \mathrm{pub}(K)}{\Gamma \vdash M}\ \mathrm{sign}_E \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathrm{sign}(M,K)}\ \mathrm{sign}_I$$

$$\frac{\Gamma \vdash \mathrm{blind}(M,K) \quad \Gamma \vdash K}{\Gamma \vdash M}\ \mathrm{blind}_{E1} \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathrm{blind}(M,K)}\ \mathrm{blind}_I$$

$$\frac{\Gamma \vdash \mathrm{sign}(\mathrm{blind}(M,R),K) \quad \Gamma \vdash R}{\Gamma \vdash \mathrm{sign}(M,K)}\ \mathrm{blind}_{E2}$$

Fig. 1. System N: a natural deduction system for intruder deduction

We need the rule gs because we do not have introduction rules for function symbols in Σ_E, in contrast to natural deduction. This rule is needed to "abstract" E-alien subterms in a sequent (in the sense of the variable abstraction technique common in unification theory, see e.g., [18,4]), which is needed to prove that the cut rule is redundant. For example, let E be a theory containing only the associativity and the commutativity axioms for ⊕. Then the sequent a, b ⊢ (a, b) ⊕ a should be provable without cut. Apart from the gs rule, the only other way to prove this is by using the id rule. However, id is not applicable, since no E-context C[…] can obey C[a, b] ≈ (a, b) ⊕ a because E-contexts can contain only symbols from Σ_E and thus cannot contain (·,·). Therefore we need to "abstract" the term (a, b) in the right hand side, via the gs rule:

$$\frac{\dfrac{\dfrac{}{a,b \vdash a}\ id \quad \dfrac{}{a,b \vdash b}\ id}{a,b \vdash (a,b)}\ p_R \qquad \dfrac{}{a,b,(a,b) \vdash (a,b) \oplus a}\ id}{a,b \vdash (a,b) \oplus a}\ gs$$

The third id rule instance (from the left) is valid because we have C[(a, b), a] = (a, b) ⊕ a, where C[·, ·] = [·] ⊕ [·].

Provability in the natural deduction system and in the sequent system are related via the standard translation, i.e., right rules in sequent calculus correspond to introduction rules in natural deduction and left rules correspond to elimination rules. The straightforward translation from natural deduction to sequent calculus uses the cut rule.

Proposition 1. The judgment Γ ⊢ M is provable in the natural deduction system N if and only if Γ↓ ⊢ M↓ is provable in the sequent system S.



3 Cut elimination for S 

We now show that the cut rule is redundant for S. 
$$\frac{M \approx_E C[M_1,\dots,M_k],\ C[\,]\ \text{an } E\text{-context},\ M_1,\dots,M_k \in \Gamma}{\Gamma \vdash M}\ id \qquad \frac{\Gamma \vdash M \quad \Gamma, M \vdash T}{\Gamma \vdash T}\ cut$$

$$\frac{\Gamma,(M,N),M,N \vdash T}{\Gamma,(M,N) \vdash T}\ p_L \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash N}{\Gamma \vdash (M,N)}\ p_R$$

$$\frac{\Gamma,\{M\}_K \vdash K \quad \Gamma,\{M\}_K,M,K \vdash N}{\Gamma,\{M\}_K \vdash N}\ e_L \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \{M\}_K}\ e_R$$

$$\frac{\Gamma,\mathrm{sign}(M,K),\mathrm{pub}(L),M \vdash N}{\Gamma,\mathrm{sign}(M,K),\mathrm{pub}(L) \vdash N}\ \mathrm{sign}_L,\ K = L \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathrm{sign}(M,K)}\ \mathrm{sign}_R$$

$$\frac{\Gamma,\mathrm{blind}(M,K) \vdash K \quad \Gamma,\mathrm{blind}(M,K),M,K \vdash N}{\Gamma,\mathrm{blind}(M,K) \vdash N}\ \mathrm{blind}_{L1} \qquad \frac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathrm{blind}(M,K)}\ \mathrm{blind}_R$$

$$\frac{\Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K) \vdash R \quad \Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K),\mathrm{sign}(M,K),R \vdash N}{\Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K) \vdash N}\ \mathrm{blind}_{L2}$$

$$\frac{\Gamma \vdash A \quad \Gamma, A \vdash M}{\Gamma \vdash M}\ gs,\ A \text{ is a guarded subterm of } \Gamma \cup \{M\}$$

Fig. 2. System S: a sequent system for intruder deduction.



Definition 1. An inference rule R in a proof system D is admissible for D if for every sequent Γ ⊢ M derivable in D, there is a derivation of the same sequent in D without instances of R.

The cut-elimination theorem for S states that the cut rule is admissible for S. Before we proceed with the main cut elimination proof, we first prove a basic property of equational theories and rewrite systems, which is concerned with a technique called variable abstraction [18,4].

Given a derivation Π, the height of the derivation, denoted by |Π|, is the length of a longest branch in Π. Given a normal term M, the size |M| of M is the number of function symbols, names and variables appearing in M.

In the following, we consider slightly more general equational theories than in the previous section: each AC theory E can be a theory obtained from a disjoint combination of AC theories E_1, …, E_n, where each E_i has at most one AC operator ⊕_i. This allows us to reuse the results for a more general case later.

Definition 2. Let E be a disjoint combination of AC convergent theories E_1, …, E_n. A term M is a quasi-E_i term if every E_i-alien subterm of M is in E-normal form.

For example, let E = {h(x, x) ≈ x}. Then h((a, b), c) is a quasi E-term, whereas h((a, b), (h(a, a), b)) is not, since its E-alien subterm (h(a, a), b) is not in its E-normal form (a, b). Obviously, any E-normal term is a quasi E_i term.

In the following, given an equational theory E, we assume the existence of a function v_E which assigns a variable from V to each ground term such that v_E(M) = v_E(N) if and only if M ≈_E N. In other words, v_E assigns a unique variable to each equivalence class of ground terms induced by ≈_E.

Definition 3. Let E be an equational theory obtained by disjoint combination of AC theories E_1, …, E_n. The E_i abstraction function F_{E_i} is a function mapping ground terms to pure E_i terms, defined recursively as follows:

$$F_{E_i}(u) = \begin{cases} u, & \text{if } u \text{ is a name,} \\ f(F_{E_i}(u_1), \dots, F_{E_i}(u_k)), & \text{if } u = f(u_1, \dots, u_k) \text{ and } f \in \Sigma_{E_i}, \\ v_E(u), & \text{otherwise.} \end{cases}$$

It can be easily shown that the function F_{E_i} preserves the equivalence relation =. That is, if M = N then F_{E_i}(M) = F_{E_i}(N).

Proposition 2. Let E be a disjoint combination of E_1, …, E_n. If M is a quasi E_i term and M → N, then N is a quasi E_i term and F_{E_i}(M) ≈_{E_i} F_{E_i}(N).

Proposition 3. Let E be a disjoint combination of E_1, …, E_n. If M and N are quasi E_i terms and F_{E_i}(M) ≈_{E_i} F_{E_i}(N), then M ≈_E N.

We now show some important proof transformations needed to prove cut elimination, i.e., in an inductive argument to reduce the size of cut terms. In the following, when we write that a sequent Γ ⊢ M is derivable, we mean that it is derivable in the proof system S, with a fixed AC theory E.

Lemma 1. Let Π be a derivation of M_1, …, M_k ⊢ N. Then for any M'_1, …, M'_k and N' such that M_i = M'_i and N = N', there is a derivation Π' of M'_1, …, M'_k ⊢ N' such that |Π| = |Π'|.

Lemma 2. Let X and Y be terms in normal form and let f be a binary constructor. If Γ, f(X, Y) ⊢ M is cut-free derivable, then so is Γ, X, Y ⊢ M.

The more interesting case in the proof of Lemma 2 is when Γ, f(X, Y) ⊢ M is proved by an application of the id rule where f(X, Y) is active. That is, we have C[f(X, Y), M_1, …, M_k] ≈_E M, where M_1, …, M_k ∈ Γ, for some E-context C[…]. Since M is in normal form, we have

$$C[f(X,Y), M_1, \dots, M_k] \to^* M. \tag{1}$$

There are two cases to consider in the construction of a proof for Γ, X, Y ⊢ M. If f(X, Y) occurs as a subterm of M or Γ, then we simply apply the gs rule (bottom up) to abstract the term f(X, Y) and then apply the id rule. Otherwise, we use the variable abstraction techniques (Proposition 2 and Proposition 3) to abstract f(X, Y) from the rewrite steps (1) above, and then replace its abstraction with X to obtain: C[X, M_1, …, M_k] →* M. That is, the id rule is applicable to the sequent Γ, X, Y ⊢ M, with X taking the role of f(X, Y).

Lemma 3. Let X_1, …, X_k be normal terms and let Π be a cut-free derivation of Γ, f(X_1, …, X_k)↓ ⊢ M, where f ∈ Σ_E. Then there exists a cut-free derivation Π' of Γ, X_1, …, X_k ⊢ M.

Lemma 4. Let M_1, …, M_k be terms in normal form and let C[…] be a k-hole E-context. If Γ, C[M_1, …, M_k]↓ ⊢ M is cut-free derivable, then so is Γ, M_1, …, M_k ⊢ M.

One peculiar aspect of the sequent system S is that in the introduction rules for encryption functions (including blind signatures), there is no switch of polarities for the encryption key. For example, in the introduction rules for {M}_K, both on the left and on the right, the key K appears on the right hand side of a premise of the rule. This means that there is no exchange of information between the left and the right hand side of sequents, unlike, say, typical implication rules in logic. This gives rise to an easy cut elimination proof, where we need only to measure the complexity of the left premise of a cut in determining the cut rank.

Theorem 1. The cut rule is admissible for S.

4 Normal derivations and decidability 

We now turn to the question of the decidability of the deduction problem Γ ⊢ M. This problem is known already for several AC theories, e.g., exclusive-or, abelian groups and their extensions with a homomorphism axiom [9,7,13,12,1]. What we would like to show here is how the decidability result can be reduced to a more elementary decision problem, defined as follows.

Definition 4. Given an equational theory E, the elementary deduction problem for E, written Γ ⊩_E M, is the problem of deciding whether the id rule is applicable to the sequent Γ ⊢ M (by checking whether there exists an E-context C[…] and terms M_1, …, M_k ∈ Γ such that C[M_1, …, M_k] ≈_E M).

Note that as a consequence of Proposition 2 and Proposition 3, in checking elementary deducibility, it is enough to consider the pure E equational problem where all E-alien subterms are abstracted, i.e., we have

$$C[M_1, \dots, M_k] \approx_E M \quad \text{iff} \quad C[F_E(M_1), \dots, F_E(M_k)] \approx_E F_E(M).$$

Our notion of elementary deduction corresponds roughly to the notion of "recipe" in [1], but we note that the notion of a recipe is a stronger one, since it bounds the size of the equational context.

The cut free sequent system does not strictly speaking enjoy the "sub-formula" property, i.e., in blind_L2, the premise sequent has a term which is not a subterm of any term in the lower sequent. However, it is easy to see that, reading the rules bottom up, we only ever introduce terms which are smaller than the terms in the lower sequent. Thus a naive proof search strategy which non-deterministically tries all applicable rules and avoids repeated sequents will eventually terminate. This procedure is of course rather expensive. We show that we can obtain a better complexity result by analysing the structures of cut-free derivations. Recall that the rules p_L, e_L, sign_L, blind_L1, blind_L2 and gs are called left rules (the other rules are right rules).
$$\frac{\Gamma \Vdash_R M}{\Gamma \vdash M}\ r \qquad \frac{\Gamma,\{M\}_K,M,K \vdash N}{\Gamma,\{M\}_K \vdash N}\ e_L,\ \text{where } \Gamma,\{M\}_K \Vdash_R K$$

$$\frac{\Gamma,(M,N),M,N \vdash T}{\Gamma,(M,N) \vdash T}\ p_L \qquad \frac{\Gamma,\mathrm{sign}(M,K),\mathrm{pub}(L),M \vdash N}{\Gamma,\mathrm{sign}(M,K),\mathrm{pub}(L) \vdash N}\ \mathrm{sign}_L,\ K = L$$

$$\frac{\Gamma,\mathrm{blind}(M,K),M,K \vdash N}{\Gamma,\mathrm{blind}(M,K) \vdash N}\ \mathrm{blind}_{L1},\ \text{where } \Gamma,\mathrm{blind}(M,K) \Vdash_R K$$

$$\frac{\Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K),\mathrm{sign}(M,K),R \vdash N}{\Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K) \vdash N}\ \mathrm{blind}_{L2},\ \text{where } \Gamma,\mathrm{sign}(\mathrm{blind}(M,R),K) \Vdash_R R$$

$$\frac{\Gamma, A \vdash M}{\Gamma \vdash M}\ ls,\ \text{where } A \text{ is a guarded subterm of } \Gamma \cup \{M\} \text{ and } \Gamma \Vdash_R A$$

Fig. 3. System L: a linear proof system for intruder deduction.



Definition 5. A cut-free derivation Π is said to be a normal derivation if it satisfies the following conditions:

1. no left rule appears above a right rule;

2. no left rule appears immediately above the left-premise of a branching left rule (i.e., all left rules except p_L and sign_L).

Proposition 4. If Γ ⊢ M is derivable then it has a normal derivation.

In a normal derivation, the left branch of a branching left rule is provable using only right rules and id. This means that we can represent a normal derivation as a sequence (reading the proof bottom-up) of sequents, each of which is obtained from the previous one by adding terms composed of subterms of the previous sequent, with the proviso that certain subterms can be constructed using right-rules. Let us denote with Γ ⊩_R M the fact that the sequent Γ ⊢ M is provable using only the right rules and id. This suggests a more compact deduction system for intruder deduction, called system L, given in Figure 3.

Proposition 5. Every sequent Γ ⊢ M is provable in S if and only if it is provable in L.

We now show that the decidability of the deduction problem Γ ⊩_L M can be reduced to decidability of elementary deduction problems. We consider a representation of terms as directed acyclic graphs (DAG), with maximum sharing of subterms. Such a representation is quite standard and can be found in, e.g., [1], so we will not go into the details here.

In the following, we denote with st(Γ) the set of subterms of the terms in Γ. In the DAG representation of Γ, the number of distinct nodes in the DAG representing distinct subterms of Γ coincides with the cardinality of st(Γ). A term M is a proper subterm of N if M is a subterm of N and M ≠ N. We denote with pst(Γ) the set of proper subterms of Γ, and we define

$$sst(\Gamma) = \{\mathrm{sign}(M,N) \mid M, N \in pst(\Gamma)\}.$$

The saturated set of Γ, written St(Γ), is the set

$$St(\Gamma) = \Gamma \cup pst(\Gamma) \cup sst(\Gamma).$$

The cardinality of St(Γ) is at most quadratic in the size of st(Γ). If Γ is represented as a DAG, one can compute the DAG representation of St(Γ) in polynomial time, with only a quadratic increase of the size of the graph. Given a DAG representation of St(Γ ∪ {M}), we can represent a sequent Γ ⊢ M by associating each node in the DAG with a tag which indicates whether or not the term represented by the subgraph rooted at that node appears in Γ or M. Therefore, in the following complexity results for the deducibility problem Γ ⊩_S M (for some proof system S), we assume that the input consists of the DAG representation of the saturated set St(Γ ∪ {M}), together with appropriate tags in the nodes. Since each tag takes only a fixed amount of space (e.g., a two-bit data structure should suffice), we shall state the complexity result w.r.t. the size of St(Γ ∪ {M}).

Definition 6. Let Γ ⊩_D M be a deduction problem, where D is some proof system, and let n be the size of St(Γ ∪ {M}). Let E be the equational theory associated with D. Suppose that the elementary deduction problem in E has complexity O(f(m)), where m is the size of the input. Then the problem Γ ⊩_D M is said to be polynomially reducible to the elementary deduction problem ⊩_E if it has complexity O(n^k × f(n)) for some constant k.

A key lemma in proving the decidability result is the following invariant property of linear proofs.

Lemma 5. Let Π be an L-derivation of Γ ⊢ M. Then for every sequent Γ' ⊢ M' occurring in Π, we have Γ' ∪ {M'} ⊆ St(Γ ∪ {M}).

The existence of linear size proofs then follows from the above lemma.

Lemma 6. If there is an L-derivation of Γ ⊢ M then there is an L-derivation of the same sequent whose length is at most |St(Γ ∪ {M})|.

Another useful observation is that the left-rules of L are invertible; at any point in proof search, we do not lose provability by applying any left rule. Polynomial reducibility of ⊩_L to ⊩_E can then be proved by a deterministic proof search strategy which systematically tries all applicable rules.

Theorem 2. The decidability of the relation ⊩_L is polynomially reducible to the decidability of elementary deduction ⊩_E.

Note that in the case where the theory E is empty, we obtain a ptime decision procedure for intruder deduction with blind signatures.
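As an added illustration of the deterministic proof search just described (not code from the paper), the following Python implements system L of Figure 3 for the empty theory E, where the id rule is plain membership: it applies the invertible left rules to saturation, closes with rule r, and also checks the Lemma 5 invariant that every term introduced lies in St(Γ ∪ {M}). The term encoding and all function names are my own.

```python
"""Added example: deterministic proof search in system L (Fig. 3) for the
empty equational theory E (Dolev-Yao encryption, pairing, blind signatures).
Not code from the paper; term encoding and function names are my own.

A name is a str; a compound term is a tuple headed by a constructor tag:
('pub', K), ('sign', M, K), ('blind', M, K), ('pair', M, N), ('enc', M, K),
where ('enc', M, K) encodes {M}_K.  With E empty, every term is guarded and
the id rule reduces to membership, so elementary deduction is `m in gamma`.
"""
from typing import Iterable, Optional, Set, Tuple, Union

Term = Union[str, Tuple]


def subterms(t: Term, acc: Optional[Set[Term]] = None) -> Set[Term]:
    """All subterms of t, t itself included (the nodes of its DAG)."""
    acc = set() if acc is None else acc
    if t not in acc:
        acc.add(t)
        if isinstance(t, tuple):
            for arg in t[1:]:
                subterms(arg, acc)
    return acc


def saturated_set(gamma: Iterable[Term], m: Term) -> Set[Term]:
    """St(Γ ∪ {M}) = Γ ∪ {M} ∪ pst(Γ ∪ {M}) ∪ sst(Γ ∪ {M}) as in Section 4."""
    base = set(gamma) | {m}
    pst: Set[Term] = set()
    for t in base:
        pst |= subterms(t) - {t}            # proper subterms only
    sst = {("sign", x, y) for x in pst for y in pst}
    return base | pst | sst


def right_derivable(gamma: Set[Term], m: Term) -> bool:
    """Γ ⊩_R M: provable with the right rules and id only (id = membership)."""
    if m in gamma:
        return True
    if isinstance(m, tuple) and m[0] in ("pair", "enc", "sign", "blind"):
        # p_R / e_R / sign_R / blind_R: both immediate subterms must be derivable
        return all(right_derivable(gamma, arg) for arg in m[1:])
    # a name not in Γ, or pub(K): Figs. 1 to 3 give no introduction rule for pub
    return False


def left_closure(gamma: Iterable[Term], m: Term) -> Set[Term]:
    """Apply the (invertible) left rules of L until nothing new can be added.

    Every term added lies in St(Γ ∪ {M}) (Lemma 5), so the loop stops after
    at most |St(Γ ∪ {M})| additions (Lemma 6).
    """
    st = saturated_set(gamma, m)
    g = set(gamma)
    while True:
        new: Set[Term] = set()
        for t in g:
            if not isinstance(t, tuple):
                continue
            head, args = t[0], t[1:]
            if head == "pair":                                   # p_L
                new.update(args)
            elif head in ("enc", "blind"):                       # e_L / blind_L1
                if right_derivable(g, args[1]):                  # the key must be ⊩_R
                    new.update(args)
            elif head == "sign":
                msg, key = args
                if ("pub", key) in g:                            # sign_L, K = L
                    new.add(msg)
                if isinstance(msg, tuple) and msg[0] == "blind":  # blind_L2
                    inner, r = msg[1], msg[2]
                    if right_derivable(g, r):
                        new.update({("sign", inner, key), r})
        for a in st:                                             # ls
            if a not in g and right_derivable(g, a):
                new.add(a)
        new -= g
        if not new:
            return g
        g |= new


def deducible(gamma: Iterable[Term], m: Term) -> bool:
    """Decide Γ ⊢ M in L: saturate with the left rules, then close with rule r."""
    return right_derivable(left_closure(gamma, m), m)


def respects_invariant(gamma: Iterable[Term], m: Term) -> bool:
    """Check Lemma 5 on this run: the closure never leaves St(Γ ∪ {M})."""
    return left_closure(gamma, m) <= saturated_set(gamma, m)


if __name__ == "__main__":
    # Constructed sample: a blinded message signed with k, the blinding key r
    # and the public key pub(k); blind_L2 then sign_L recover m.
    gamma = [("sign", ("blind", "m", "r"), "k"), "r", ("pub", "k")]
    print(deducible(gamma, "m"))                           # True
    print(deducible(gamma[:1] + [("pub", "k")], "m"))      # False: r is unknown
```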
5 Some example theories

We now consider several concrete AC convergent theories that are often used in reasoning about security protocols. Decidability of intruder deduction under these theories has been extensively studied [9,7,1,13,17,10]. These results can be broadly categorized into those with explicit pairing and encryption constructors, e.g., [9,17], and those where the constructors are part of the equational theories, e.g., [1,10]. For the latter, one needs explicit decryption operators with, e.g., an equation like dec({M}_N, N) ≈ M. Decidability results for these deduction problems are often obtained by separating elementary deducibility from the general deduction problem. This is obtained by studying some form of normal derivations in a natural deduction setting. Such a reduction, as has been shown in the previous section, applies to our calculus in a more systematic fashion.

Exclusive-or. The signature of this theory consists of a binary operator ⊕ and a constant 0. The theory is given by the axioms of associativity and commutativity of ⊕ together with the axioms x ⊕ x ≈ 0 and x ⊕ 0 ≈ x. This theory can be turned into an AC convergent rewrite system with the following rewrite rules:

$$x \oplus x \to 0 \qquad \text{and} \qquad x \oplus 0 \to x.$$

Checking Γ ⊩_E M can be done in PTIME, as shown in, e.g., [7].
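As an added example (not from the paper, and not the method of [7]), here is a Python decision procedure for the elementary problem Γ ⊩_E M of this theory that follows Definition 4 and the abstraction of Definition 3: every E-alien subterm is normalised and replaced by a variable, and an E-context is then a ⊕ of holes, so Γ ⊩_E M holds exactly when F_E(M) lies in the GF(2) span of the F_E(M_i); membership is decided by Gaussian elimination. The term encoding and the function names are my own.

```python
"""Added example (not from the paper): the elementary deduction problem
Γ ⊩_E M for E = exclusive-or, via the variable abstraction of Definition 3
and Gaussian elimination over GF(2).  Encoding and names are my own.

Terms: a name is a str, the constant 0 is the str "0", ('xor', t1, ..., tn)
is t1 ⊕ ... ⊕ tn, and any other tuple such as ('pair', M, N) or
('enc', M, K) is an E-alien constructor term.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple, Union

Term = Union[str, Tuple]


def nf_atoms(t: Term) -> FrozenSet[Term]:
    """E-alien subterms whose ⊕-sum is the E-normal form of t, modulo AC.

    x ⊕ x → 0 makes repeated atoms cancel (symmetric difference) and
    x ⊕ 0 → x drops the constant; the empty set stands for 0.
    """
    if t == "0":
        return frozenset()
    if isinstance(t, tuple) and t[0] == "xor":
        acc: FrozenSet[Term] = frozenset()
        for arg in t[1:]:
            acc ^= nf_atoms(arg)
        return acc
    if isinstance(t, tuple):            # alien term: normalise its arguments too
        return frozenset({(t[0],) + tuple(normal_form(a) for a in t[1:])})
    return frozenset({t})               # a name


def normal_form(t: Term) -> Term:
    """Canonical representative of t↓_E (atoms sorted, so AC-equal terms coincide)."""
    atoms = nf_atoms(t)
    if not atoms:
        return "0"
    if len(atoms) == 1:
        return next(iter(atoms))
    return ("xor",) + tuple(sorted(atoms, key=repr))


def abstract(atom_sets: Iterable[FrozenSet[Term]]) -> Tuple[Dict[Term, int], List[int]]:
    """F_E: map each distinct normal alien subterm to a variable (a bit index).

    Returns the variable map (the role of v_E) and each term as a GF(2)
    vector packed into an int.
    """
    var: Dict[Term, int] = {}
    vectors: List[int] = []
    for atoms in atom_sets:
        v = 0
        for a in atoms:
            v |= 1 << var.setdefault(a, len(var))
        vectors.append(v)
    return var, vectors


def in_span_gf2(rows: List[int], target: int) -> bool:
    """Is target a ⊕-combination of rows?  Incremental elimination over GF(2)."""
    basis: List[Tuple[int, int]] = []         # (pivot bit, reduced row)
    for v in rows:
        for pivot, b in basis:
            if v & pivot:
                v ^= b
        if v:
            basis.append((v & -v, v))         # lowest set bit becomes the pivot
    for pivot, b in basis:
        if target & pivot:
            target ^= b
    return target == 0


def elementary_deducible_xor(gamma: Iterable[Term], m: Term) -> bool:
    """Γ ⊩_E M: is there an E-context C (a ⊕ of holes, or just 0) with
    C[M_1, ..., M_k] ≈_E M for M_i ∈ Γ?  Using one M_i twice cancels, so
    it suffices to test F_E(M) against the GF(2) span of the F_E(M_i)."""
    atom_sets = [nf_atoms(t) for t in gamma] + [nf_atoms(m)]
    _, vectors = abstract(atom_sets)
    return in_span_gf2(vectors[:-1], vectors[-1])


if __name__ == "__main__":
    # Constructed sample from Section 2: a, b does not elementarily deduce
    # (a, b) ⊕ a, since the alien term (a, b) is absent; once gs has added it,
    # the id rule applies.
    goal = ("xor", ("pair", "a", "b"), "a")
    print(elementary_deducible_xor(["a", "b"], goal))                      # False
    print(elementary_deducible_xor(["a", "b", ("pair", "a", "b")], goal))  # True
```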

Abelian groups. The exclusive-or theory is an instance of Abelian groups, where the inverse of an element is the element itself. The more general case of Abelian groups includes an inverse operator, denoted with I here. The equality theory for Abelian groups is given by the axioms of associativity and commutativity, plus the theory {x ⊕ 0 ≈ x, x ⊕ I(x) ≈ 0}. The equality theory of Abelian groups can be turned into a rewrite system modulo AC by orienting the above equalities from left to right, in addition to the following rewrite rules:

$$I(x \oplus y) \to I(x) \oplus I(y) \qquad I(I(x)) \to x \qquad I(0) \to 0.$$

One can also obtain an AC convergent rewrite system for an extension of Abelian groups with a homomorphism axiom involving a unary operator h: h(x ⊕ y) = h(x) ⊕ h(y). In this case, the rewrite rules above need to be extended with

$$h(x \oplus y) \to h(x) \oplus h(y) \qquad h(0) \to 0 \qquad h(I(x)) \to I(h(x)).$$

Decidability of elementary deduction under Abelian groups (with homomorphism) can be reduced to solving a system of linear equations over some semirings (see [12] for details).

6 Combining disjoint convergent theories 

We now consider the intruder deduction problem under a convergent AC theory E, which is obtained from the union of pairwise disjoint convergent AC theories E_1, ..., E_n. Each theory E_i may contain an associative-commutative binary operator, which we denote with ⊕_i. We show that the intruder deduction problem under E can be reduced to the elementary deduction problem of each E_i.

Given a term M = f(M_1, ..., M_k), where f is a function symbol (i.e., a constructor, an equational symbol or one of the ⊕_i), the terms M_1, ..., M_k are called the immediate subterms of M. Given a term M and a subterm occurrence N in M, we say that N is a cross-theory subterm of M if N is headed with a symbol f ∈ Σ_{E_i} and it is an immediate subterm of a subterm in M which is headed by a symbol g ∈ Σ_{E_j}, where i ≠ j. We shall also refer to N as an E_{ij}-subterm of M when we need to be explicit about the equational theories involved.

Throughout this section, we consider a sequent system D, whose rules are those of S, but with id replaced by the rule below left (where, as in the id rule of S, M ≈ C[M_1, ..., M_k] for some M_1, ..., M_k ∈ Γ, but now C[...] is an E_i-context of a single theory E_i) and with the addition of the rule below right, where N is a cross-theory subterm of some term in Γ ∪ {M}:

    ─────── id_{E_i}          Γ ⊢ N    Γ, N ⊢ M
    Γ ⊢ M                     ───────────────── cs
                                    Γ ⊢ M
The analog of Proposition 1 holds for D. Its proof is a straightforward adaptation of the proof of Proposition 1.

Proposition 6. The judgment Γ ⊢ M is provable in the natural deduction system N, under theory E, if and only if Γ↓ ⊢ M↓ is provable in the sequent system D.

Cut elimination also holds for D. Its proof is basically the same as the proof for S, since the "logical structures" (i.e., those concerning constructors) are the same. The only difference is in the treatment of abstracted terms (the rules gs and cs). In D we allow abstraction of arbitrary cross-theory subterms, in addition to guarded subterm abstraction. The crucial part of the proof in this case relies on the variable abstraction technique (Proposition 2 and Proposition 3), which applies to both guarded subterm and cross-theory subterm abstraction.

Theorem 3. The cut rule is admissible for D.

The decidability result for S also holds for D. This can be proved with straightforward modifications of the similar proof for S, since the extra rule cs has the same structure as gs in S. It is easy to see that the same normal forms for S also hold for D, with cs considered as a left-rule. It then remains to design a linear proof system for D. We first define the notion of right-deducibility: the relation Γ ⊩_{RD} M holds if and only if the sequent Γ ⊢ M is derivable in D using only the right rules. We next define a linear system for D, called LD, which consists of the rules of L defined in the previous section, but with the proviso Γ ⊩_R M changed to Γ ⊩_{RD} M, and with the additional rule:

    Γ, R ⊢ M
    ───────── lcs
     Γ ⊢ M

where R is a cross-theory subterm of some term in Γ ∪ {M} and Γ ⊩_{RD} R.
Proposition 7. A sequent Γ ⊢ M is provable in D if and only if it is provable in LD.

The notion of polynomial reducibility is slightly changed. Suppose each elementary deduction problem in E_i is bounded by O(f(m)). Let m be the size of St(Γ ∪ {M}). Then the deduction problem Γ ⊩_D M is polynomially reducible to ⊩_{E_1}, ..., ⊩_{E_n} if it has complexity O(m^k f(m)) for some constant k.

Theorem 4. The decidability of the relation ⊩_{LD} is polynomially reducible to the decidability of the elementary deductions ⊩_{E_1}, ..., ⊩_{E_n}.

7 Conclusion and related work 

We have shown that decidability of the intruder deduction problem, under a 
range of equational theories, can be reduced to the simpler problem of elementary 
deduction, which amounts to solving equations in the underlying equational 
theories. This reduction is obtained in a purely proof theoretical way, using 
standard techniques such as cut elimination and permutation of inference rules. 

There are several existing works in the literature that deal with intruder deduction. Our work is more closely related to, e.g., [9,12,17], in that we do not have explicit destructors (projection, decryption, unblinding), than, say, [1,10]. In the latter work, these destructors are considered part of the equational theory, so in this sense our work slightly extends theirs to allow combinations of explicit and implicit destructors. A drawback of the approach with explicit destructors is that one needs to consider these destructors together with other algebraic properties in proving decidability, although recent work in combining decidable theories [3] allows one to deal with them modularly. Combination of intruder theories has been considered in [8,13,14], as part of their solution to the more difficult problem of deducibility constraints, which assumes active intruders. In particular, Delaune et al. [14] obtain results similar to what we have here concerning combination of AC theories. One difference between these works and ours is in how this combination is derived. Their approach is more algorithmic, whereas our result is obtained through analysis of proof systems.

It remains to be seen whether sequent calculus, and its associated proof techniques, can prove useful for richer theories. For certain deduction problems, i.e., those in which the constructors interact with the equational theory, there do not seem to be general results like the ones we obtain for theories with no interaction with the constructors. One natural problem where this interaction occurs is the theory with homomorphic encryption, e.g., like the one considered in [17]. Another interesting challenge is to see how sequent calculus can be used to study the more difficult problem of solving intruder deduction constraints, e.g., like those studied in [9,7,13].

Acknowledgement. We thank the anonymous referees of earlier drafts of this paper. [...] by the Australian Research Council (ARC) Discovery Project DP0880549.

A Proofs



A.1 Proofs for Section 2

Lemma 7 (Weakening). Let Π be a derivation of Γ ⊢ M. If Γ ⊆ Γ', then there exists a derivation Π' of Γ' ⊢ M such that |Π| = |Π'|.

Proof. By induction on |Π|. □

Lemma 8. If the judgment Γ ⊢ M is derivable in the natural deduction system N then Γ↓ ⊢ M↓ is derivable in the sequent system S.

Proof. Let Π be a natural deduction derivation of Γ ⊢ M. We construct a sequent derivation Π' of Γ↓ ⊢ M↓ by induction on |Π|. The id rule translates to the id rule in sequent calculus; the introduction rules for constructors translate to the right-rules for the same constructors. If Π ends with the ≈-rule, then the premise and the conclusion of the rule translate to the same sequent, hence Π' is constructed by the induction hypothesis. It remains to show the translations for elimination rules and rules concerning f ∈ Σ_E.

- Suppose Π ends with f_I, for some f ∈ Σ_E:

    Γ ⊢ M_1  ...  Γ ⊢ M_k
    ────────────────────── f_I
    Γ ⊢ f(M_1, ..., M_k)

  By the induction hypothesis, we have sequent derivations Π_i' of Γ↓ ⊢ M_i↓ for each i ∈ {1, ..., k}. Lemma 7 applied to the Π_i' gives us another sequent derivation Π_i'' of Γ↓, M_1↓, ..., M_{i-1}↓ ⊢ M_i↓. We note that the sequent

    Γ↓, M_1↓, ..., M_k↓ ⊢ f(M_1, ..., M_k)↓

  is provable in the sequent system by an application of the id-rule. The derivation Π' is then constructed by successive applications of the cut rule to this sequent with Π_1'', ..., Π_k'', where the i-th cut eliminates M_i↓.
- Suppose Π ends with p_E:

    Π_1
    Γ ⊢ (M, N)
    ────────── p_E
    Γ ⊢ M

  Note that (M, N)↓ = (M↓, N↓). By the induction hypothesis, we have a sequent derivation Π_1' of Γ↓ ⊢ (M↓, N↓), and since the sequent

    Γ↓, (M↓, N↓) ⊢ M↓

  is derivable in sequent calculus (using an id rule followed by a p_L-rule), we can use the cut rule to get a sequent derivation of Γ↓ ⊢ M↓.
- Suppose Π ends with e_E:

    Π_1          Π_2
    Γ ⊢ {M}_N    Γ ⊢ N
    ────────────────── e_E
    Γ ⊢ M

  By the induction hypothesis, we have a sequent derivation Π_1' of Γ↓ ⊢ {M↓}_{N↓} and a sequent derivation Π_2' of Γ↓ ⊢ N↓. By Lemma 7, we have a derivation Π_2'' of Γ↓, {M↓}_{N↓} ⊢ N↓. We construct a sequent derivation for the sequent

    Γ↓, {M↓}_{N↓}, N↓ ⊢ M↓.

  This can be done (in a bottom-up proof construction) by an application of e_L, followed by two applications of id. Then Π' is constructed by successive applications of the cut rule to this sequent using Π_2'' and Π_1'.

— Suppose n ends with sign^;: 

ill n2 

rhs\gn(M,K) rhpub(/n 

TTm ^'^"^ 

By induction hypothesis, we have a sequent derivation 7T{ and a sequent 
derivation ^f, respectively, 

n h sign(A7i , Ki ) and Fi h pub(7^i ). 

Let 772 be a derivation of 

ri,sign(Mi,7fi)hpub(7vi) 

obtained by an application of Lemma [7] to 772- Let 773 be the derivation 

ri ,sign(A7i ,Ki ),pub(7^i ),A7i h Mj ^ 
ri , sign(Mi , Ki ), pub(7^i ) h A7i ^'^"^ 

Then 77' is constructed by successive applications of 772 ^1 773. 

- The case where Π ends with blind_{E1} is analogous to the case with e_E.

- Suppose Π ends with blind_{E2}:

    Π_1                          Π_2
    Γ ⊢ sign(blind(M, R), K)     Γ ⊢ R
    ────────────────────────────────── blind_{E2}
    Γ ⊢ sign(M, K)

  By the induction hypothesis, we have a derivation Π_1' and a derivation Π_2' of, respectively,

    Γ↓ ⊢ sign(blind(M↓, R↓), K↓)    and    Γ↓ ⊢ R↓.

  Let Π_2'' be the derivation of Γ↓, sign(blind(M↓, R↓), K↓) ⊢ R↓ obtained from Π_2' by Lemma 7, and let Π_3 be the derivation

    Π_2''                                   ───────────────────────────────────────────────────────── id
    Γ↓, sign(blind(M↓, R↓), K↓) ⊢ R↓         Γ↓, sign(blind(M↓, R↓), K↓), sign(M↓, K↓), R↓ ⊢ sign(M↓, K↓)
    ──────────────────────────────────────────────────────────────────────────────────────────────── blind_{L2}
    Γ↓, sign(blind(M↓, R↓), K↓) ⊢ sign(M↓, K↓)

  Then the derivation Π' is constructed by a cut between Π_1' and Π_3. □



Lemma 9. If Γ ⊢ M is derivable in the sequent system S then Γ ⊢ M is derivable in the natural deduction system N.

Proof. Let Π be a sequent derivation of Γ ⊢ M. We construct a natural deduction Π' of Γ ⊢ M by induction on |Π|.

- The right-introduction rules of S map to the same introduction rules in N. Π' in this case is constructed straightforwardly from the induction hypothesis using the introduction rules of N.

- If Π ends with an id rule, i.e., M ≈ C[M_1, ..., M_k], for some M_1, ..., M_k ∈ Γ and E-context C[...], we construct a derivation Π_1 of Γ ⊢ C[M_1, ..., M_k] by induction on the context C[...]. This is easily done using the f_I introduction rules in N. The derivation Π' is then constructed from Π_1 by an application of the ≈-rule.

- Suppose Γ = Γ' ∪ {(U, V)} and Π ends with p_L:

    Π_1
    Γ', (U, V), U, V ⊢ M
    ──────────────────── p_L
    Γ', (U, V) ⊢ M

  By the induction hypothesis, we have an N-derivation Π_1' of Γ', (U, V), U, V ⊢ M. The derivation Π' is constructed inductively from Π_1' by copying the same rule applications in Π_1', except when Π_1' is either

    ───────────── id        or        ───────────── id
    Γ, U, V ⊢ U                       Γ, U, V ⊢ V

  in which case Π' is

    ────────── id                     ────────── id
    Γ ⊢ (U, V)                        Γ ⊢ (U, V)
    ────────── p_E        and         ────────── p_E
    Γ ⊢ U                             Γ ⊢ V

  respectively.
- Suppose Γ = Γ' ∪ {{U}_V} and Π ends with e_L:

    Π_1      Π_2
    Γ ⊢ V    Γ, U, V ⊢ M
    ──────────────────── e_L
    Γ', {U}_V ⊢ M

  By the induction hypothesis, we have an N-derivation Π_1' of Γ ⊢ V and an N-derivation Π_2' of Γ, U, V ⊢ M. Π' is then constructed inductively from Π_2' by applying the same rules as in Π_2', except when Π_2' is either

    ───────────── id        or        ───────────── id
    Γ, U, V ⊢ U                       Γ, U, V ⊢ V

  in which case Π' is, respectively,

    ───────── id    Π_1'
    Γ ⊢ {U}_V       Γ ⊢ V
    ───────────────────── e_E        and        Π_1'.
    Γ ⊢ U

- Suppose Γ = Γ' ∪ {sign(N, K), pub(L)} and Π ends with sign_L:

    Π_1
    Γ', sign(N, K), pub(L), N ⊢ M
    ───────────────────────────── sign_L
    Γ', sign(N, K), pub(L) ⊢ M

  where L ≈ K (hence pub(L) ≈ pub(K)). By the induction hypothesis, we have an N-derivation Π_1' of

    Γ', sign(N, K), pub(L), N ⊢ M.

  As in the previous case, the derivation Π' is constructed by imitating the rules of Π_1', except for the following id case:

    ───────────────────────────── id
    Γ', sign(N, K), pub(L), N ⊢ N

  which is replaced by

                                                  ─────────────────────────────── id
                                                  Γ', sign(N, K), pub(L) ⊢ pub(L)
    ──────────────────────────────────── id       ─────────────────────────────── ≈
    Γ', sign(N, K), pub(L) ⊢ sign(N, K)           Γ', sign(N, K), pub(L) ⊢ pub(K)
    ──────────────────────────────────────────────────────────────────────────── sign_E
    Γ', sign(N, K), pub(L) ⊢ N

- The case where Π ends with blind_{L1} is similar to the case with e_L.

- Suppose Γ = Γ' ∪ {sign(blind(N, R), K)} and Π ends with blind_{L2}:

    Π_1      Π_2
    Γ ⊢ R    Γ, sign(N, K), R ⊢ M
    ───────────────────────────── blind_{L2}
    Γ', sign(blind(N, R), K) ⊢ M

  Similarly to the previous case, we apply the induction hypothesis to both Π_1 and Π_2, obtaining Π_1' and Π_2'. The derivation Π' is constructed by imitating the rules of Π_2', but with the following id instances

    ───────────────────────────── id        ───────────────────── id
    Γ, sign(N, K), R ⊢ sign(N, K)           Γ, sign(N, K), R ⊢ R

  replaced by

    ──────────────────────── id    Π_1'
    Γ ⊢ sign(blind(N, R), K)       Γ ⊢ R
    ─────────────────────────────────── blind_{E2}        and        Π_1'.
    Γ ⊢ sign(N, K)
- Suppose Π ends with gs:

    Π_1      Π_2
    Γ ⊢ A    Γ, A ⊢ M
    ───────────────── gs
    Γ ⊢ M

  By the induction hypothesis, we have an N-derivation Π_1' of Γ ⊢ A and an N-derivation Π_2' of Γ, A ⊢ M. Again, as in the previous cases, we construct Π' inductively, on the height of Π_2', by imitating the rules in Π_2', except when Π_2' ends with an instance of id of the form

    ───────── id
    Γ, A ⊢ A

  in which case Π' is Π_1'. □



Proposition 1. The judgment Γ ⊢ M is provable in the natural deduction system N if and only if Γ↓ ⊢ M↓ is provable in the sequent system S.

Proof. Immediate from Lemma 8 and Lemma 9. □

A.2 Proofs for Section 3

Lemma 10. Let E be a disjoint combination of AC theories E_1, ..., E_n. Let M be a quasi E_i-term. If M →_{R_E} N then N is also a quasi E_i-term and F_{E_i}(M) →_{R_{E_i}} F_{E_i}(N).

Proof. By induction on the structure of M:

- If M is a name then the lemma holds vacuously.

- Suppose M = f(u_1, ..., u_k) with f ∈ Σ_{E_i}. There are two cases to consider:

  • The redex is in some u_j. This case follows straightforwardly from the induction hypothesis and the definition of F_{E_i}.

  • The redex is M. Then there must be a rewrite rule in R_{E_i} of the form

      C[x_1, ..., x_n] → C'[x_1, ..., x_n]

    where C[..] and C'[..] are E_i-contexts, such that

      M = (C[x_1, ..., x_n])σ    and    N = (C'[x_1, ..., x_n])σ

    for some substitution σ. Note that since M is a quasi E_i-term, it follows that each x_jσ is also a quasi E_i-term. Hence N must also be a quasi E_i-term. From the definition of F_{E_i}, we have the following equalities (we abbreviate F_{E_i} as F):

      F(M) = F(C[x_1, ..., x_n]σ)
           = C[F(x_1σ), ..., F(x_nσ)]
           = C[x_1, ..., x_n]σ'

    where σ' is the substitution {F(x_1σ)/x_1, ..., F(x_nσ)/x_n}. Similarly, we can show that F(N) = C'[x_1, ..., x_n]σ'. Therefore, we have F(M) →_{R_{E_i}} F(N).

- Suppose M = g(u_1, ..., u_k) and g ∉ Σ_{E_i}. Then M is an E_i-alien subterm of M, and since M is a quasi E_i-term, M must be in E-normal form. Therefore no reduction is possible, hence the lemma holds vacuously. □

Proposition 2. Let E be a disjoint combination of E_1, ..., E_n. If M is a quasi E_i-term and M →*_{R_E} N, then N is a quasi E_i-term and F_{E_i}(M) →*_{R_{E_i}} F_{E_i}(N).

Proof. This follows directly from Lemma 10. □

Proposition 3. Let E be a disjoint combination of E_1, ..., E_n. If M and N are quasi E_i-terms and F_{E_i}(M) →*_{R_{E_i}} F_{E_i}(N), then M →*_{R_E} N.

Proof. It is enough to show that this holds for a one-step rewrite F_{E_i}(M) →_{R_{E_i}} F_{E_i}(N). This can be done by induction on the structure of M. In particular, we need to show that a rewrite rule that applies to F_{E_i}(M) also applies to M. Let x_1, ..., x_k be the free variables in F_{E_i}(M). Let M_1, ..., M_k be normal E-terms such that V_E(M_j) = x_j for each j ∈ {1, ..., k}, and

    σ = {M_1/x_1, ..., M_k/x_k}.

Then we can show by induction on the structure of M and N, and using the fact that they are quasi E_i-terms, that

    F_{E_i}(M)σ = M    and    F_{E_i}(N)σ = N.

Note that for any rewrite rule in a rewrite system, by definition, all the variables free in the right-hand side of the rule are also free in the left-hand side. Hence, the free variables of F_{E_i}(N) are among the free variables in F_{E_i}(M), since they are related by rewriting.

Now suppose there is a rewrite rule in R_{E_i}

    C[x_1, ..., x_n] → C'[x_1, ..., x_n]

where C[.] and C'[.] are E_i-contexts, such that F_{E_i}(M) = C[x_1, ..., x_n]θ and F_{E_i}(N) = C'[x_1, ..., x_n]θ, for some substitution θ. Then we have

    M = F_{E_i}(M)σ = (C[x_1, ..., x_n]θ)σ = C[x_1, ..., x_n](θ ∘ σ)

and

    N = F_{E_i}(N)σ = (C'[x_1, ..., x_n]θ)σ = C'[x_1, ..., x_n](θ ∘ σ).

Hence we also have M →_{R_{E_i}} N. □

Lemma 1. Let Π be a derivation of M_1, ..., M_k ⊢ N. Then for any M_1', ..., M_k' and N' such that M_i = M_i' and N = N', there is a derivation Π' of M_1', ..., M_k' ⊢ N' such that |Π| = |Π'|.

Proof. By induction on |Π|. □
Lemma 2. Let X and Y be terms in normal form. If Γ, f(X, Y) ⊢ M is cut-free derivable, where f is a binary constructor, then Γ, X, Y ⊢ M is also cut-free derivable.

Proof. Let Π be a cut-free derivation of Γ, f(X, Y) ⊢ M. We construct a cut-free derivation Π' of Γ, X, Y ⊢ M by induction on |f(X, Y)| with subinduction on |Π|. The only non-trivial cases are when Π ends with blind_{L2}, acting on f(X, Y), and when Π ends with id and f(X, Y) is used in the rule. We examine these cases in more detail below.

- Suppose Π ends with blind_{L2}, acting on f(X, Y), i.e., f = sign and X = blind(N, R):

    Π_1                              Π_2
    Γ, sign(blind(N, R), Y) ⊢ R      Γ, sign(blind(N, R), Y), sign(N, Y), R ⊢ M
    ───────────────────────────────────────────────────────────────────────── blind_{L2}
    Γ, sign(blind(N, R), Y) ⊢ M

  Applying the inner induction hypothesis (on proof height) to Π_1 and Π_2 we obtain two derivations Π_1' and Π_2' of

    Γ, blind(N, R), Y ⊢ R    and    Γ, blind(N, R), Y, sign(N, Y), R ⊢ M.

  Next we apply the outer induction hypothesis (on the size of f(X, Y)) to decompose sign(N, Y) in the latter sequent to get a derivation Π_2'' of

    Γ, blind(N, R), N, Y, R ⊢ M.

  The derivation Π' is constructed as follows:

    Π_1'                       Π_2''
    Γ, blind(N, R), Y ⊢ R      Γ, blind(N, R), N, Y, R ⊢ M
    ──────────────────────────────────────────────────── blind_{L1}
    Γ, blind(N, R), Y ⊢ M

- Suppose Π ends with id. The only non-trivial case is when f(X, Y) is used in the rule, that is, we have

    M ≈ C[f(X, Y)^n, M_1, ..., M_k]

  where M_1, ..., M_k ∈ Γ, C[...] is an E-context and f(X, Y) fills n holes in C[...]. We distinguish several cases:

  • There is a guarded subterm A in M or some M_i such that f(X, Y) = A. Note that in this case A must be of the form f(X', Y') for some X' = X and Y' = Y. In this case, Π' is constructed as follows:

      Σ                        ─────────────────────────── id
      Γ, X, Y ⊢ f(X', Y')      Γ, X, Y, f(X', Y') ⊢ M
      ─────────────────────────────────────────────── gs
      Γ, X, Y ⊢ M

    where Σ is a derivation formed using id and the right rules for the constructor f.
  • Suppose that there is no subterm A of M, M_1, ..., M_k such that A = f(X, Y). Note that since M is in normal form, we have

      C[f(X, Y)^n, M_1, ..., M_k] →* M,

    and both C[f(X, Y)^n, M_1, ..., M_k] and M are quasi E-terms. Let x = v(f(X, Y)). It follows from Proposition 2 that

      F_E(C[f(X, Y)^n, M_1, ..., M_k]) = C[x^n, F_E(M_1), ..., F_E(M_k)] →* F_E(M).

    Since no subterms of M and M_1, ..., M_k are equivalent to f(X, Y), x does not appear in any of F_E(M), F_E(M_1), ..., F_E(M_k). Now let a be a name that does not occur in Γ, X, Y or M. Since rewriting is invariant under variable/name substitution, by substituting a for x in the above sequence of rewrites, we have

      F_E(C[a^n, M_1, ..., M_k]) = C[a^n, F_E(M_1), ..., F_E(M_k)] →* F_E(M).

    Now by Proposition 3, we have

      C[a^n, M_1, ..., M_k] →* M.

    By substituting X for a in this sequence, we have

      C[X^n, M_1, ..., M_k] →* M.

    Thus, in this case, Π' is constructed by an application of id. □

Lemma 3. Let X_1, ..., X_k be normal terms and let Π be a cut-free derivation of Γ, f(X_1, ..., X_k)↓ ⊢ M, where f ∈ Σ_E. Then there exists a cut-free derivation Π' of Γ, X_1, ..., X_k ⊢ M.

Proof. By induction on |Π|. The case where Π ends with id, or rules in which f(X_1, ..., X_k)↓ is not principal, is trivial. The other cases, where Π ends with a rule applied to f(X_1, ..., X_k)↓, are given in the following.

- Suppose Π ends with p_L on f(X_1, ..., X_k)↓. This means that f(X_1, ..., X_k)↓ is a guarded term, i.e., it is a pair (U, V) for some U and V, and therefore

    f(X_1, ..., X_k) →* (U, V).

  Let x = F_E((U, V)). By Proposition 2, we have

    f(F_E(X_1), ..., F_E(X_k)) →* x.

  Obviously, x has to occur in F_E(X_i) for some X_i. Without loss of generality we assume that i = 1. This means that there exists a subterm A of X_1 such that A = (U', V') and U = U' and V = V'. That is, X_1 = C[(U', V')] for some context C[.].

  Let Γ' be the set Γ ∪ {X_1, ..., X_k}. Then Π' is the derivation

    ─────────────── id    Π_1
    Γ' ⊢ (U', V')         Γ', (U', V') ⊢ M
    ────────────────────────────────────── gs
    Γ, C[(U', V')], X_2, ..., X_k ⊢ M

  The instance of id above is valid since (U, V) ≈ f(X_1, ..., X_k) and X_1, ..., X_k ∈ Γ'. The derivation Π_1 is obtained by weakening Π with X_1, ..., X_k and applying Lemma 1 to replace (U, V) with its equivalent (U', V'). The cases where f(X_1, ..., X_k)↓ is headed with some other constructor are proved analogously.

- Suppose Π ends with gs on f(X_1, ..., X_k)↓:

    Π_1       Π_2
    Γ' ⊢ A    Γ', A ⊢ M
    ──────────────────────── gs
    Γ, f(X_1, ..., X_k)↓ ⊢ M

  where A is a guarded subterm of f(X_1, ..., X_k)↓ and

    Γ' = Γ ∪ {f(X_1, ..., X_k)↓}.

  Using a similar argument as in the previous case (utilising Proposition 2), we can show that A = A' for some A' which is either an E-alien subterm of some X_i (w.l.o.g., assume i = 1) or a guarded subterm of an E-alien subterm of X_1. In either case, we have that X_1 = C[A'] for some context C[.]. Then Π' is

    Π_1'        Π_2'
    Γ'' ⊢ A'    Γ'', A' ⊢ M
    ─────────────────────── gs
    Γ, X_1, ..., X_k ⊢ M

  where Γ'' = Γ ∪ {X_1, ..., X_k} and Π_1' and Π_2' are obtained by applying the induction hypothesis on Π_1 and Π_2, followed by applications of Lemma 1 to replace A with its equivalent A'. □

Lemma 4. Let M_1, ..., M_k be terms in normal form and let C[...] be a k-hole E-context. If Γ, C[M_1, ..., M_k]↓ ⊢ M is cut-free derivable, then Γ, M_1, ..., M_k ⊢ M is also cut-free derivable.

Proof. By induction on the size of C[...], Lemma 1 and Lemma 3. □

Theorem 1. The cut rule is admissible for S.

Proof. We give a set of transformation rules for derivations ending with cuts and show that given any derivation, there is a sequence of reductions that applies to this derivation, and terminates with a cut-free derivation with the same end sequent. This is proved by induction on the height of the left premise derivation immediately above the cut rule. This measure is called the cut rank. As usual in cut elimination, we proceed by eliminating the topmost instances of cut with the highest rank. So in the following, we suppose a given derivation Π ending with a cut rule, which is the only cut in Π, and then show how to transform this into a cut-free derivation Π'.

The cut reduction is driven by the left premise derivation of the cut. We distinguish several cases, based on the last rule of the left premise derivation.

1. Suppose the left premise of Π ends with either p_R, e_R, sign_R or blind_R, thus Π is

    Π_1      Π_2
    Γ ⊢ M    Γ ⊢ N
    ─────────────── ρ    Π_3
    Γ ⊢ f(M, N)          Γ, f(M, N) ⊢ R
    ───────────────────────────────── cut
    Γ ⊢ R

   where f is a constructor and ρ is its right introduction rule. By Lemma 2, we have a cut-free derivation Π_3' of Γ, M, N ⊢ R. By applying Lemma 7 to Π_2, we also have a cut-free derivation Π_2' of Γ, M ⊢ N such that |Π_2| = |Π_2'|. The above cut is then reduced to

             Π_2'        Π_3'
    Π_1      Γ, M ⊢ N    Γ, M, N ⊢ R
    Γ ⊢ M    ─────────────────────── cut
             Γ, M ⊢ R
    ──────────────────────────────── cut
    Γ ⊢ R

   These two cuts can then be eliminated by the induction hypothesis, since their left premises are of smaller height than the left premise of Π.
2. Suppose the left premise of the cut ends with a left rule ρ acting on Γ. We show here the case where the left rule has only one premise; generalisation to the other case (with two premises) is straightforward. Therefore Π is of the form:

    Π_1
    Γ' ⊢ M
    ────── ρ    Π_2
    Γ ⊢ M       Γ, M ⊢ R
    ──────────────────── cut
    Γ ⊢ R

   By inspection of the inference rules in Figure 2, it is clear that in the rule ρ above we have Γ ⊆ Γ'. We can therefore weaken Π_2 to a derivation Π_2' of Γ', M ⊢ R with |Π_2| = |Π_2'|. The cut is then reduced as follows.

    Π_1       Π_2'
    Γ' ⊢ M    Γ', M ⊢ R
    ─────────────────── cut
    Γ' ⊢ R
    ────── ρ
    Γ ⊢ R

   The cut rule above ρ can be eliminated by the induction hypothesis, since the height of the left premise of this cut is smaller than that of the left premise of the original cut.
3. Suppose the left premise of the cut ends with gs, but using a subterm from the right hand side of the sequent, i.e., Π is

    Π_1      Π_2
    Γ ⊢ A    Γ, A ⊢ C[A]
    ──────────────────── gs    Π_3
    Γ ⊢ C[A]                   Γ, C[A] ⊢ R
    ────────────────────────────────────── cut
    Γ ⊢ R

   If C[.] is an empty context, then C[A] = A and the above cut reduces to

    Π_1      Π_3
    Γ ⊢ A    Γ, A ⊢ R
    ───────────────── cut
    Γ ⊢ R

   This cut can be reduced by the induction hypothesis, since the height of the left premise derivation (Π_1) is smaller than that of the left premise of the original cut. If C[.] is a non-empty context, the above cut reduces to the following two cuts:

             Π_2            Π_3'
    Π_1      Γ, A ⊢ C[A]    Γ, A, C[A] ⊢ R
    Γ ⊢ A    ───────────────────────────── cut
             Γ, A ⊢ R
    ────────────────────────────────────── cut
    Γ ⊢ R

   The derivation Π_3' is obtained by weakening Π_3 with A (Lemma 7). Both cuts can be removed by the induction hypothesis (the upper cut followed by the lower cut).

4. Suppose the left premise of the cut ends with the id-rule:

    ───── id    Π_1
    Γ ⊢ M       Γ, M ⊢ R
    ──────────────────── cut
    Γ ⊢ R

   where M = C[M_1, ..., M_k]↓ and M_1, ..., M_k ∈ Γ. In this case, we apply Lemma 4 to Π_1, which gives a cut-free derivation of Γ, M_1, ..., M_k ⊢ R; since M_1, ..., M_k ∈ Γ, this is a cut-free derivation Π' of Γ ⊢ R. □



A.3 Proofs for Section 4

Lemma 11. Let Π be a cut-free derivation of Γ ⊢ M. Then there is a cut-free derivation of the same sequent such that all the right rules appear above left rules.

Proof. We permute any offending right rule up over any left rule. This is done by induction on the number of occurrences of the offending rules. We first show the case where Π has at most one offending right rule. In this case, we show, by induction on the height of Π, that any offending right-introduction rule can be permuted up in the derivation tree until it is above any left-introduction rule. We show here a non-trivial case involving gs; the others are treated analogously. Suppose Π is as shown below at left, where ρ denotes a right introduction rule for the constructor f and A is a guarded subterm of M. By the weakening lemma (Lemma 7), we have a derivation Π_3' of Γ, A ⊢ N with |Π_3| = |Π_3'|. The original derivation Π is then transformed into the derivation shown below at right:

    Π_1      Π_2                                 Π_2         Π_3'
    Γ ⊢ A    Γ, A ⊢ M                   Π_1      Γ, A ⊢ M    Γ, A ⊢ N
    ───────────────── gs    Π_3         Γ ⊢ A    ──────────────────── ρ
    Γ ⊢ M                   Γ ⊢ N                Γ, A ⊢ f(M, N)
    ──────────────────────────── ρ      ─────────────────────────── gs
    Γ ⊢ f(M, N)                         Γ ⊢ f(M, N)

The rule ρ in the right premise can then be further permuted up (i.e., if Π_2 or Π_3 ends with a left rule) by the induction hypothesis.

The derivation Π' is then constructed by repeatedly applying the above transformation to the topmost offending rules until all of them appear above left-introduction rules. □

Proposition 4. If Γ ⊢ M is derivable then it has a normal derivation.

Proof. Let Π be a cut-free derivation of Γ ⊢ M. By Lemma 11 we can assume without loss of generality that all the right rules in Π appear above the left rules. We construct a normal derivation Π' of the same sequent by induction on the number of offending left rules in Π.

We first consider the case where Π has at most one offending left rule. Let S be a subtree of Π where the offending rule occurs, i.e., S ends with a branching left rule whose left premise derivation ends with a left rule. We show by induction on the height of the left premise derivation of the last rule in S that S can be transformed into a normal derivation. There are two cases to consider: one in which the left premise derivation ends with a branching left rule and the other where it ends with a non-branching left rule. We consider the former case here; the latter can be dealt with analogously. So suppose S is of the form:

    Π_1          Π_2
    Γ_1 ⊢ N_2    Γ_2 ⊢ N_1
    ────────────────────── L_1    Π_3
    Γ_1 ⊢ N_1                     Γ_3 ⊢ M'
    ─────────────────────────────────────── L_2
    Γ_1 ⊢ M'

where L_1 is a left rule, and Π_1, Π_2 and Π_3 are normal derivations, Γ_2 ⊇ Γ_1 and Γ_3 ⊇ Γ_1. We first weaken Π_3 into a derivation Π_3' of Γ_4 ⊢ M', where Γ_4 = Γ_2 ∪ Γ_3. Such a weakening can easily be shown not to affect the shape of the derivation (i.e., it does not introduce or remove any rules in Π_3). S is then transformed into

                 Π_2          Π_3'
    Π_1          Γ_2 ⊢ N_1    Γ_4 ⊢ M'
    Γ_1 ⊢ N_2    ───────────────────── L_2
                 Γ_2 ⊢ M'
    ───────────────────────────────── L_1
    Γ_1 ⊢ M'

By inspection of the rules in Figure 2, it can be shown that this transformation is valid for any pair of left rules (L_1, L_2). Note that this transformation may introduce at most two offending left rules, i.e., if Π_1 and/or Π_2 end with left rules. But notice that the left premise derivations of both L_1 and L_2 in this case have smaller height than the left premise derivation of L_1 in S. By the induction hypothesis, the right premise derivation of L_1 (the subderivation ending in L_2) can be transformed into a normal derivation, say Π_4, resulting in

    Π_1          Π_4
    Γ_1 ⊢ N_2    Γ_2 ⊢ M'
    ───────────────────── L_1
    Γ_1 ⊢ M'

By another application of the induction hypothesis, this derivation can be transformed into a normal derivation.

The general case where Π has more than one offending rule can be dealt with by transforming the topmost occurrences of the left rule one by one following the above transformation. □



Proposition 5. Every sequent Γ ⊢ M is provable in S if and only if it is provable in L.

Proof. This follows immediately from cut elimination for S and the normal form for S (Proposition 4). □



Lemma 5. Let Π be an L-derivation of Γ ⊢ M. Then for every sequent Γ' ⊢ M' occurring in Π, we have Γ' ∪ {M'} ⊆ St(Γ ∪ {M}).

Proof. By induction on |Π|. It is enough to show that for each rule ρ in L other than r,

    Γ' ⊢ M'
    ─────── ρ
    Γ ⊢ M

we have that St(Γ ∪ {M}) = St(Γ' ∪ {M'}). The non-trivial case is the rule blind_2:

    Γ_1, sign(blind(N, R), K), sign(N, K), R ⊢ M
    ──────────────────────────────────────────── blind_2
    Γ_1, sign(blind(N, R), K) ⊢ M

where Γ = Γ_1 ∪ {sign(blind(N, R), K)}. The premise of the rule has a term sign(N, K) which may not occur in the conclusion. However, the proper subterms of sign(N, K) are included in the proper subterms of sign(blind(N, R), K), hence both the premise and the conclusion have the same set of proper subterms. Notice that sign(N, K) ∈ sst(Γ), since both N and K are in pst(Γ). Therefore in this case we also have that St(Γ ∪ {M}) = St(Γ' ∪ {M'}). □



Lemma 6. If there is an L-derivation of Γ ⊢ M then there is an L-derivation of the same sequent whose length is at most quadratic with respect to the size of Γ ∪ {M}.

Proof. We first note that any derivation of Γ ⊢ M can be turned into one in which every sequent in the derivation occurs exactly once on a branch. Our rules preserve their principal formula when read upwards from conclusion to premise, hence the left hand sides of the sequents as we go up a branch accumulate more and more formulae. That is, they form an increasing chain. At worst, each such rule adds only one formula from St(Γ ∪ {M}). Thus, by Lemma 5, the number of different sequents on a branch is bounded by the cardinality of St(Γ ∪ {M}), which is quadratic in the size of Γ ∪ {M}. □

Lemma 12. The decidability of the relation ⊩_R is polynomially reducible to the decidability of elementary deduction ⊩_E.

Proof. Recall that the relation Γ ⊩_R M holds if we can derive Γ ⊢ M using only right-rules and id. Here is a simple proof search procedure for Γ ⊢ M, using only right-rules:

1. If Γ ⊢ M is elementarily deducible, then we are done.

2. Otherwise, apply a right-introduction rule (backwards) to Γ ⊢ M and repeat step 1 for each obtained premise, and so on. If no such rule is applicable, then Γ ⊢ M is not derivable.

There are at most n iterations, where n is the number of distinct subterms of M. Note that the check for elementary deducibility in step 1 is done on problems of size less than or equal to n. □

Before we proceed with proving Theorem 2, let us first define the notion of
a principal term in a left-rule in the proof system $\mathcal{L}$ (we refer to Figure 3 in the
following definition):

— $\langle M, N \rangle$ is the principal term of $lp$.

— $\{M\}_K$ is the principal term of $le$.

— $\mathit{sign}(M, K)$ is the principal term of $\mathit{sign}$.

— $\mathit{blind}(M, K)$ is the principal term of $\mathit{blind}_1$.

— $\mathit{sign}(\mathit{blind}(M, R), K)$ is the principal term of $\mathit{blind}_2$.

— $A$ is the principal term of $ls$.

Given a sequent $\Gamma \vdash M$ and a pair $(N, p)$ of a principal term and a left-rule,
we say that the pair $(N, p)$ is applicable to the sequent if

— $p$ is $ls$, $N$ is a guarded subterm of $\Gamma \cup \{M\}$, and there is an instance of $p$
with $\Gamma, N \vdash M$ as its premise;

— $p$ is not $ls$, $N \in \Gamma$, and there is an instance of $p$ with $\Gamma \vdash M$ as its conclusion.

Let us assume that the complexity of $\Vdash_E$ is $O(f(n))$. We note the following
two facts: Given a sequent $\Gamma \vdash M$ and a pair $(N, p)$ of a principal term and a
left-rule,

F1 the complexity of checking whether $(N, p)$ is applicable to $\Gamma \vdash M$ is $O(n^l f(n))$
for some constant $l$;

F2 if $(N, p)$ is applicable to $\Gamma \vdash M$, then there is a unique sequent $\Gamma' \vdash M$ such
that the inference below is a valid instance of $p$:

\[
\dfrac{\Gamma' \vdash M}{\Gamma \vdash M}\ p
\]

Note that for (F1) to hold, we need to assume a DAG representation of sequents
with maximal sharing of subterms. The complexity of checking whether a rule
is applicable or not then consists of

— pointer comparisons;

— pattern matching a subgraph with a rule;

— checking equality modulo associativity and commutativity (for the rule $\mathit{sign}$);

— and checking $\Vdash_R$.

The first three can be done in polynomial time, and the last one is polynomially
reducible to $\Vdash_E$ (Lemma 12).

Theorem 2. The decidability of the relation $\Vdash_{\mathcal{L}}$ is polynomially reducible to
the decidability of elementary deduction $\Vdash_E$.

Proof. Let $n$ be the size of $St(\Gamma \cup \{M\})$. Notice that the left-rules in Figure 3
are invertible (they accumulate terms, reading the rules bottom-up), so one does
not lose provability by applying any of the rules in proof search. Thus by blindly
applying the left-rules, we eventually reach a point where the right-rule ($r$) is
applicable, hence the original sequent is provable, or we reach a "fix point"
where we encounter all previous sequents. For the latter, we show that there is
a polynomial bound to the number of rule applications we need to try before
concluding that the original sequent is not provable.

Let $M_1, \ldots, M_n$ be an enumeration of the set $St(\Gamma \cup \{M\})$. Suppose $\Gamma \vdash M$
is provable in $\mathcal{L}$. Then there is a shortest proof in $\mathcal{L}$ where each sequent
appears exactly once in the proof. This also means that there exists a sequence
of principal-term-and-rule pairs

\[
(M_{i_1}, p_1), \ldots, (M_{i_q}, p_q)
\]

that is applicable, successively, to $\Gamma \vdash M$. Note that $q < n$ by Lemma 6.

A simple proof search strategy for $\Gamma \vdash M$ is therefore to repeatedly try all
possible applicable pairs $(M', p')$ for each possible $M' \in St(\Gamma \cup \{M\})$ and each
left-rule $p'$. More precisely: let $j := 0$ and initialise $\Delta := \Gamma$.

1. $j := j + 1$.

2. If $\Delta \Vdash_R M$ then we are done.

3. Otherwise, for $k = 1$ to $n$ do

   for every left-rule $p$ do

      if $(M_k, p)$ is applicable to $\Delta \vdash M$, then let $\Gamma_1 \vdash M$ be the unique
      premise of $p$ determined by $(M_k, p)$ via F2 and let $\Delta := \Gamma_1$.

4. If $j < n$ then go to step 1.

If the original sequent is provable, then at each iteration $j$, the algorithm (i.e.,
step 3) will find the correct pair $(M_{i_j}, p_j)$. (Strictly speaking, the algorithm finds
the $j$-th pair of a shortest proof, and not necessarily the one given above, since
there can be more than one proof of a given length.) If no proof is found after
$n$ iterations, then the original sequent is not provable, since the length of any
shortest proof is bounded by $n$ by Lemma 6. By Lemma 12, step 2 takes $O(n^a f(n))$
for some constant $a$. By (F1) above, each iteration in step 3 takes $O(n^b f(n))$
for some constant $b$. Since there are at most $6n$ distinct principal-term-and-rule
pairs, this means step 3 takes $O(6n^{b+1} f(n))$. Therefore the whole procedure
takes $O(n^{c+1} f(n))$ where $c$ is the greater of $a$ and $b+1$. Hence the complexity
of $\Vdash_{\mathcal{L}}$ is polynomially reducible to $\Vdash_E$. □
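To make the two procedures concrete, here is an added example (not the paper's code) that implements the right-rule search of Lemma 12 as `synth` and the left-rule saturation strategy of Theorem 2 as `deducible`, specialised to the free theory of pairing, symmetric encryption, signatures and blind signatures. It assumes the usual side conditions (a decryption key or blinding factor must be $\Vdash_R$-derivable), treats elementary deduction $\Vdash_E$ as plain membership in $\Gamma$ since there is no equational theory, and omits the rule $ls$, which needs an AC theory's guarded subterms.

```python
"""Added example: bounded proof search in the style of Lemma 12 (right rules
only) and Theorem 2 (left-rule saturation) for the free theory of pairing,
encryption, signing and blinding. Terms are nested tuples, atoms are strings."""
from typing import FrozenSet, Iterator, Union

Term = Union[str, tuple]

def pair(a, b): return ("pair", a, b)
def enc(m, k): return ("enc", m, k)
def sign(m, k): return ("sign", m, k)
def blind(m, r): return ("blind", m, r)

def synth(gamma: FrozenSet[Term], m: Term) -> bool:
    """Gamma ||-_R m (Lemma 12): right rules and id only. Elementary deduction
    ||-_E is assumed to be syntactic membership (empty equational theory)."""
    if m in gamma:                     # step 1: elementarily deducible (id)
        return True
    if isinstance(m, str):             # bare atom: no right rule applies
        return False
    return all(synth(gamma, x) for x in m[1:])   # step 2: right rule, backwards

def left_step(gamma: FrozenSet[Term], n: Term) -> Iterator[Term]:
    """Terms the left rule with principal term n adds to the context (F2).
    Key/blinding-factor side conditions are checked with ||-_R, as in (F1);
    the rule shapes other than blind_2 are assumptions of this example."""
    if isinstance(n, str):
        return
    op, a, b = n
    if op == "pair":                                 # lp: both components
        yield a; yield b
    elif op == "enc" and synth(gamma, b):            # le: key derivable
        yield a
    elif op == "sign":                               # sign: message recoverable
        yield a
        if isinstance(a, tuple) and a[0] == "blind" and synth(gamma, a[2]):
            yield sign(a[1], b); yield a[2]          # blind_2: unblind the signature
    elif op == "blind" and synth(gamma, b):          # blind_1: factor derivable
        yield a; yield b

def deducible(gamma, m: Term) -> bool:
    """Theorem 2's strategy: apply the invertible left rules round by round,
    checking Delta ||-_R m after each round, until a fixed point is reached."""
    delta = frozenset(gamma)
    while True:
        if synth(delta, m):
            return True
        grown = delta | {t for n in delta for t in left_step(delta, n)}
        if grown == delta:                           # fix point: not provable
            return False
        delta = grown
```

Every term a left rule adds is a subterm of the context (or $\mathit{sign}(N, K)$ for $\mathit{blind}_2$), which is why the saturation loop terminates, mirroring the bound argued above.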



A.4 Proofs for Section 6

The following lemma is similar to Lemma 1 except that $=$ now denotes equality
modulo AC for $\oplus_1, \ldots, \oplus_n$.

Lemma 13. Let $\Pi$ be a derivation of $M_1, \ldots, M_k \vdash N$. Then for any $M'_1, \ldots, M'_k$
and $N'$ such that $M_i = M'_i$ and $N = N'$, there is a derivation $\Pi'$ of $M'_1, \ldots, M'_k \vdash N'$
such that $|\Pi| = |\Pi'|$.

Lemma 14. Let $X$ and $Y$ be normal terms. If $\Gamma, f(X, Y) \vdash M$ is cut-free provable
in $\mathcal{D}$, where $f$ is a constructor, then $\Gamma, X, Y \vdash M$ is also cut-free provable
in $\mathcal{D}$.

Proof. Analogous to the proof of Lemma 5. □

Lemma 15. Let $X_1, \ldots, X_k$ be normal terms and let $\Pi$ be a cut-free $\mathcal{D}$-derivation
of $\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash M$, where $f \in \Sigma_{E_i}$. Then there exists a cut-free
$\mathcal{D}$-derivation $\Pi'$ of $\Gamma, X_1, \ldots, X_k \vdash M$.

Proof. By induction on $|\Pi|$. Most cases are similar to the proof of Lemma 3.
In particular, the cases involving cross-theory subterms are a straightforward
generalisation of those involving guarded subterms in the proof of Lemma 3.

Let $N = f(X_1, \ldots, X_k){\downarrow}$. The new case we need to consider is when $\Pi$ ends
with $cs$:

\[
\dfrac{\overset{\Pi_1}{\Gamma, N \Vdash_R R} \qquad \overset{\Pi_2}{\Gamma, N, R \vdash M}}
      {\Gamma, N \vdash M}\ cs
\]

where $R$ is a cross-theory subterm of $N$.

Observe that since $X_1, \ldots, X_k$ are in normal form, the term $f(X_1, \ldots, X_k)$
is a quasi $E_i$-term. As in the proof of Lemma 3, using the variable abstraction
technique (Proposition 2 and Proposition 3), we can show that there must be a
cross-theory subterm $R'$ in some $X_i$ (w.l.o.g., assume $i = 1$) such that $R = R'$.
Thus $\Pi'$ is constructed straightforwardly by the induction hypothesis on $\Pi_1$ and $\Pi_2$,
followed by (possibly) an application of $cs$ on $X_1$ and Lemma 13. □

Lemma 16. Let $M_1, \ldots, M_k$ be normal terms and let $C[\ldots]$ be a $k$-hole $E_i$-context.
If $\Gamma, C[M_1, \ldots, M_k]{\downarrow} \vdash M$ is cut-free derivable in $\mathcal{D}$, then $\Gamma, M_1, \ldots, M_k \vdash M$
is also cut-free derivable in $\mathcal{D}$.

Proof. By induction on the size of $C[\ldots]$, Lemma 15 and Lemma 13. □

Theorem 3. The cut rule in $\mathcal{D}$ is admissible.

Proof. Analogous to the proof of Theorem 1, making use of Lemma 14 and
Lemma 16. □